IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Throwing exceptions from ValidateUser #816

Closed DAnsell closed 9 years ago

DAnsell commented 10 years ago

Hi

We’re using identity server in an active authentication scenario and have an implementation of the IUserRepository interface in which ValidateUser calls a WCF service for authentication. Everything is working fine, however if the authentication fails for a reason other than the credentials being invalid (e.g. if the user’s account is locked) we’d like to be able to return that information to the user. Given that the ValidateUser returns a bool, what’s the best way to achieve this? If the WCF service throws a fault exception and that is re-thrown by the user repository then the client receives a MessageSecurityException (which is fair enough) but any information in the exception is lost. The same thing happens if we throw a SecurityException.

I’m aware that providing information about the cause of a logon failure is in itself a potential security breach, but a locked account is something that can occur in our environment and we're required to let our users know.

Any help would be greatly appreciated

Cheers
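One way to handle the situation described in the question, written here as an added illustration rather than code from the issue or from the IdentityServer project: keep the lock-out reason on the server side (audit log) and let `ValidateUser` return its plain `false`, since anything thrown out of the repository reaches the client only as an opaque `MessageSecurityException` and the detail is lost anyway. The `IAuthenticationService` contract, the `AuthFault` fault detail, the `IAuditLog` sink and the `Thinktecture.IdentityServer.Repositories` namespace are assumptions for the example; only the `bool ValidateUser(string, string)` member is shown, the remaining `IUserRepository` members are omitted.

```csharp
using System;
using System.Runtime.Serialization;
using System.ServiceModel;
using Thinktecture.IdentityServer.Repositories; // assumed namespace of IUserRepository

// Assumed fault detail exposed by the back-end authentication WCF service.
[DataContract]
public class AuthFault
{
    [DataMember] public string Reason { get; set; }   // e.g. "AccountLocked", "PasswordExpired"
}

// Assumed service contract of the authentication WCF service.
[ServiceContract]
public interface IAuthenticationService
{
    [OperationContract]
    [FaultContract(typeof(AuthFault))]
    bool Authenticate(string userName, string password);
}

// Assumed server-side audit sink; never surfaces to the token requester.
public interface IAuditLog
{
    void Write(string message);
}

// Illustrative user repository; the remaining IUserRepository members are omitted.
public class WcfUserRepository // : IUserRepository
{
    private readonly Func<IAuthenticationService> _createClient;
    private readonly IAuditLog _audit;

    public WcfUserRepository(Func<IAuthenticationService> createClient, IAuditLog audit)
    {
        _createClient = createClient;
        _audit = audit;
    }

    public bool ValidateUser(string userName, string password)
    {
        var client = _createClient();
        try
        {
            return client.Authenticate(userName, password);
        }
        catch (FaultException<AuthFault> fault)
        {
            // Locked or otherwise disabled account: record the specific reason where
            // operators can see it, then fail with the same generic answer the caller
            // would get for a bad password. Re-throwing would not carry the detail to
            // the client and would only turn the failure into a MessageSecurityException.
            _audit.Write(string.Format("Authentication refused for '{0}': {1}",
                                       userName, fault.Detail.Reason));
            return false;
        }
        catch (CommunicationException ex)
        {
            // Back-end unavailable: fail closed and keep the diagnostic server-side.
            _audit.Write(string.Format("Authentication service error for '{0}': {1}",
                                       userName, ex.Message));
            return false;
        }
        finally
        {
            var channel = client as ICommunicationObject;
            if (channel != null)
            {
                // Faulted WCF channels must be aborted rather than closed.
                if (channel.State == CommunicationState.Faulted) channel.Abort();
                else channel.Close();
            }
        }
    }
}
```

The token requester still sees only a generic failure, which is the behaviour the thread confirms v2 supports; the "account locked" message itself has to reach the user through a channel outside the token request, for instance a lock-out notification driven from the audit entry.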

leastprivilege commented 10 years ago

We don't support anything beyond true/false - we know that this is a limitation but v2 is "done". If you want to add that feature, we can talk about it.

DAnsell commented 10 years ago

Ok, thanks Dominick. I wasn't expecting any changes in v2, it was more along the lines of whether there was any type of exception we could throw within ValidateUser that could propagate back to the client with information intact.

leastprivilege commented 10 years ago

No - don't think so.